(54) A method generating digital tokens from a subset of addressee information

(57) A method for generating postage evidence includes providing
addressee information separated into a plurality of address fields. A
predetermined section of each address field, appropriate for
authentication purposes, is selected to obtain selected address data.
An error correction code is generated for the selected address data and
a secure hash is generated of the selected address data. The secure hash
is sent with postal data, including postage amount and date, to a
digital token generation process that generates at least one digital
token using the secure hash for evidencing postage. An indicia including
the digital token and the postal data is generated and then printed on a
mail piece with the error correction code and the addressee information.
In a digital token verification process, the addressee information and
the error correcting code are read from the mailpiece and the postal
data is read from the indicia. An error correction algorithm is used to
determine if errors are correctable. If correctable, a predetermined
section of each address field is selected to obtain selected address
data. A secure hash of the selected address data is generated and sent
with the postal data to a digital token verification process.

Description

The present invention relates to advanced postage payment systems and,
more particularly, to advanced postage payment systems having
pre-computed postage payment information.

The present application is related to the following U.S. Patent
Applications Serial Nos. [Attorney Dockets E-415, E-416, E-417, E-418,
E-419, E-420, E-421, E-444, E-452 and E-463], each filed concurrently
herewith, and assigned to the assignee of the present invention.

Postage metering systems are being developed which employ digital
printers to print encrypted information on a mailpiece. Such metering
systems are presently categorized by the United States Postal Service as
either closed systems or open systems. In a closed system, the system
functionality is solely dedicated to metering activity. A closed system
metering device includes a dedicated printer securely coupled to a
metering or accounting function. In a closed system, since the printer
is securely coupled and dedicated to the meter, printing cannot take
place without accounting. In an open metering system the system
functionality is not dedicated solely to metering activity. An open
system metering device includes a printer that is not dedicated to the
metering activity, thus freeing system functionality for multiple and
diverse uses in addition to the metering activity. An open system
metering device is a postage evidencing device (PED) with a
non-dedicated printer that is not securely coupled to a secure
accounting module.

Typically, the postage value for a mailpiece is encrypted together with
other data to generate a digital token which is then used to generate a
postage indicia that is printed on the mailpiece. A digital token is
encrypted information that authenticates the information imprinted on a
mailpiece including postal value. Examples of systems for generating and
using digital tokens are described in U.S. Patent No. 4,757,537,
4,831,555, 4,775,246, 4,873,645 and 4,725,718, the entire disclosures of
which are hereby incorporated by reference. These systems employ an
encryption algorithm to encrypt selected information to generate at
least one digital token for each mailpiece. The encryption of the
information provides security to prevent altering of the printed
information in a manner such that any misuse of the tokens is detectable
by appropriate verification procedures.

Typical information which may be encrypted as part of a digital token
includes origination postal code, vendor identification, data
identifying the PED, piece count, postage amount, date, and, for an open
system, destination postal code. These items of information,
collectively referred to as Postal Data, when encrypted with a secret
key and printed on a mail piece provide a very high level of security
which enables the detection of any attempted modification of a postal
revenue block or a destination postal code. A postal revenue block is an
image printed on a mail piece that includes the digital token used to
provide evidence of postage payment. The Postal Data may be printed both
in encrypted and unencrypted form in the postal revenue block. Postal
Data serves as an input to a Digital Token Transformation which is a
cryptographic transformation computation that utilizes a secret key to
produce digital tokens. Results of the Digital Token Transformation,
i.e., digital tokens, are available only after completion of the
Accounting Process.

Digital tokens are utilized in both open and closed metering systems.
However, for open metering systems, the non-dedicated printer may be
used to print other information in addition to the postal revenue block
and may be used in activity other than postage evidencing. In an open
system PED, addressee information is included in the Postal Data which
is used in the generation of the digital tokens. Such use of the
addressee information creates a secure link between the mailpiece and
the postal revenue block and allows unambiguous authentication of the
mail piece.

Prior open metering system designs use the destination postal code (in
U.S.A. this is the 11 digit ZIP code) to identify the address. This
approach has several problems. For international mail, the destination
postal code may not exist. If one does exist, a mailer may not have
access to it. If the mailer guesses an incorrect postal code, the cost
of returning and correcting the mail is very high for the postal
service. The destination postal code does not identify the recipient of
the mail, so mail can be sent fraudulently to several people in the same
building.

The present invention resolves the aforementioned difficulties, and in
addition provides the postal service with means to improve the rate of
correct reading of the delivery address printed on the mailpiece. In
this manner, the present invention significantly reduces the cost of
processing the mail.

The present invention provides a method of improving the rate of
accurate reading of addressee information for use in a token generation
and verification process for an open metering system. An open metering
system must include delivery address information, such as the 11-digit
ZIP code, in the calculation of digital tokens to protect the system
from a fraudulent copying of the tokens.

In accordance with the present invention, a message digest or hash of
part of the address data is generated in the user's computer and sent to
the open system meter to produce digital tokens that include delivery
address data. In addition, error correcting code is generated for at
least the same part of the delivery address data. The address and the
error correcting codes are both printed on the mailpiece. The error
correcting code may be printed using characters, or using a barcode
representation. The tokens are verified by reading the delivery address
data on the envelope and repeating the token generation process. The
error correction code is used to help assure correct reading of the
data.

It has been discovered that the transformations necessary to generate a
message digest and to generate the error correcting codes can be
provided in software that can be used in the mailer's computer and does
not require a large changing data base. The method of the present
invention provides security that prevents tampering and false evidence
of postage payment and provides the ability to do batch processing of
digital tokens.

In accordance with the present invention a method for generating postage
evidence includes providing addressee information separated into a
plurality of address fields. A predetermined section of each address
field, appropriate for authentication purposes, is selected to obtain
selected address data. An error correction code is generated for the
selected address data and a secure hash is generated of the selected
address data. The secure hash is sent with postal data, including
postage amount and date, to a digital token generation process that
generates at least one digital token using the secure hash for
evidencing postage. An indicia including the digital token and the
postal data is generated and then printed on a mail piece with the error
correction code and the addressee information. In a digital token
verification process, the addressee information and the error correcting
code are read from the mailpiece and the postal data is read from the
indicia. An error correction algorithm is used to determine if errors
are correctable. If correctable, a predetermined section of each address
field is selected to obtain selected address data. A secure hash of the
selected address data is generated and sent with the postal data to a
digital token verification process.

The above and other objects and advantages of the present invention will
be apparent upon consideration of the following detailed description,
taken in conjunction with accompanying drawings, in which like reference
characters refer to like parts throughout, and in which:

Fig. 1 is a block diagram of a PC-based metering system in which the
present invention operates;

Fig. 2 is a schematic block diagram of the PC-based metering system of
Fig. 1 including a removable vault card and a DLL in the PC;

Fig. 3 is a schematic block diagram of the DLL in the PC-based metering
system of Fig. 1 including interaction with the vault to issue and store
digital tokens;

Fig. 4 is a flow chart of the generation of evidence of postage in
accordance with the present invention; and

Fig. 5 is a verification process in accordance with the present
invention.

In describing the present invention, reference is made to the drawings,
wherein there is seen in Figs. 1-3 an open system PC-based postage
meter, also referred to herein as a PC meter system generally referred
to as 10, in which the present invention performs the digital token
process. PC meter system 10 includes a conventional personal computer
configured to operate as a host to a removable metering device or
electronic vault, generally referred to as 20, in which postage funds
are stored. PC meter system 10 uses the personal computer and its
printer to print postage on envelopes at the same time it prints a
recipient's address or to print labels for pre-addressed return
envelopes. As used herein, the term personal computer is used
generically and refers to present and future microprocessing systems
with at least one processor operatively coupled to user interface means,
such as a display and keyboard, and storage media. The personal computer
may be a workstation that is accessible by more than one user. It will
be understood that although the preferred embodiment of the present
invention is described with regard to a postage metering system, the
present invention is applicable to any value metering system that
includes a transaction evidencing.

The PC-based postage meter 10 includes a personal computer (PC) 12, a
display 14, a keyboard 16, and a non-secured digital printer 18,
preferably a laser or ink-jet printer. PC 12 includes a conventional
processor 22, such as the 80486 and Pentium processors manufactured by
Intel, and conventional hard drive 24, floppy drive(s) 26, and memory
28. Electronic vault 20, which is housed in a removable card, such as
PCMCIA card 30, is a secure encryption device for postage funds
management, digital token generation and traditional accounting
functions. PC meter system 10 may also include an optional modem 29
which is located preferably in PC 12. Modem 29 may be used for
communicating with a Postal Service or a postal authenticating vendor
for recharging funds (debit or credit). In an alternate embodiment the
modem may be located in PCMCIA card 30.

PC meter system 10 further includes a Windows-based PC software module
34 (Figs. 3 and 4) that is accessible from conventional Windows-based
word processing, database and spreadsheet application programs 36. PC
software module 34 includes a vault dynamic link library (DLL) 40, a
user interface module 42, and a plurality of sub-modules that control
the metering functions. DLL module 40 securely communicates with vault
20 and provides an open interface to Microsoft Windows-based application
programs 36 through user interface module 42. DLL module 40 also
securely stores an indicia image and a copy of the usage of postal funds
of the vault. User interface module 42 provides application programs 36
access to an electronic indicia image from DLL module 40 for printing
the postal revenue block on a document, such as an envelope or label.
User interface module 42 also provides application programs the
capability to initiate remote refills and to perform administrative
functions.

PC-based meter system 10 operates as a conventional personal computer
with attached printer that becomes a postage meter upon user request.
Printer 18 prints all documents normally printed by a personal computer,
including printing letters and addressing envelopes, and in accordance
with the present invention, prints postage indicia.

The vault is housed in a PCMCIA I/O device, or card, 30 which is
accessed through a PCMCIA controller 32 in PC 12. A PCMCIA card is a
credit card size peripheral or adapter that conforms to the standard
specification of the Personal Computer Memory Card International
Association. Referring now to Figs. 2 and 3, the PCMCIA card 30 includes
a microprocessor 44, redundant non-volatile memory (NVM) 46, clock 48,
an encryption module 50 and an accounting module 52. The vault includes
an interface 56 that communicates with the host processor 22 through
PCMCIA controller 32. The encryption module 50 may implement the NBS
Data Encryption Standard (DES) or another suitable encryption scheme. In
the preferred embodiment, encryption module 50 is a software module. It
will be understood that encryption module 50 could also be a separate
device, such as a separate chip connected to microprocessor 44.
Accounting module 52 may be EEPROM that incorporates ascending and
descending registers as well as postal data, such as origination ZIP
Code, vendor identification, data identifying the PC-based postage meter
10, sequential piece count of the postal revenue block generated by the
PC-based postage meter 10, postage amount and the date of submission to
the Postal Service. As is known, an ascending register in a metering
unit records the amount of postage that has been dispensed, i.e., issued
by the vault, in all transactions and the descending register records
the value, i.e., amount of postage, remaining in the metering unit,
which value decreases as postage is issued.

The functionality of DLL 40 is a key component of PC-based meter 10. DLL
40 includes both executable code and data storage area 41 that is
resident in hard drive 24 of PC 12. In a Windows environment, a vast
majority of applications programs 36, such as word processing and
spreadsheet programs, communicate with one another using one or more
dynamic link libraries. PC-based meter 10 encapsulates all the processes
involved in metering, and provides an open interface to vault 20 from
all Windows-based applications capable of using a dynamic link library.
Any application program 36 can communicate with vault microprocessor 44
in PCMCIA card 30 through DLL 40.

DLL 40 includes the following software sub-modules. Secure
communications sub-module 80 controls communications between PC 12 and
vault 20. Transaction captures sub-module 82 stores transaction records
in PC 12. Secure indicia image creation and storage sub-module 84
generates an indicia bitmap image and stores the image for subsequent
printing. Application interface sub-module 86 interfaces with
non-metering application programs and issues requests for digital tokens
in response to requests for indicia by the non-metering application
programs. Detailed descriptions of PC meter system 10 and the digital
token generation process are provided in related U.S. Patent
Applications Serial Nos. [Attorney Docket E-421] and [Attorney Docket
E-416] filed concurrently herewith, each of which is incorporated herein
in its entirety by reference.

Since printer 18 is not dedicated to the metering function, issued
digital tokens may be requested, calculated and stored in PC 12 for use
at a later time when, at a user's discretion, corresponding indicia are
generated and printed. Such delayed printing and batch processing is
described in more detail in co-pending U.S. Patent Application Serial
No. [Attorney Docket E-452], which is incorporated herein in its
entirety by reference.

Digital Token Generation Process

In accordance with the present invention, when a request for digital
token is received from PC 12, vault 20 calculates and issues at least
one digital token to PC 12 in response to the request. The issued
digital token is stored as part of a transaction record in PC 12 for
printing at a later time. In the preferred embodiment of the present
invention, the transaction record is stored in a hidden file in DLL
storage area 41 on hard drive 24. Each transaction record is indexed in
the hidden file according to addressee information. It has been
discovered that this method of issuing and storing digital tokens
provides an additional benefit that one or more digital tokens can be
reissued whenever a token has not been printed or if a problem has
occurred preventing a printing of an indicia with the token.

By storing digital tokens as part of transaction records in PC 12 the
digital tokens can be accessed at a later time for the generation and
printing of indicia which is done in PC 12. Furthermore, if a digital
token is lost, i.e., not properly printed on a mailpiece, the digital
token can be reissued from DLL 40 rather than from vault 20. The storage
of transaction records that include vault status at the end of each
transaction provides a backup to the vault with regard to accounting
information as well as a record of issued tokens. The number of
transaction records stored on hard drive 24 may be limited to a
predetermined number, preferably including all transactions since the
last refill of vault 20.

Postage Evidence Generation and Verification 

Referring now to Fig. 4, the process for generating postage evidence for
a mailpiece is described. At 400, delivery address fields, including
recipient, street, city, state and zip code, are entered through
keyboard 16 into PC 12. At 402, a predetermined appropriate section of
each address field, for example, the first fifteen characters of each
line, is selected for authentication. An error correcting code is
generated, at 404, for the selected address data using, for example,
Reed Solomon or BCH algorithms. At 406, a secure hash of the address
data is generated using, for example, the MD5 message-digest algorithm
which is described in a paper "The MD5 Message-Digest Algorithm" by R.
Rivest for MIT Laboratory for Computer Science and RSA Data Security in
April 1992. PC 12, at 408, sends the secure hash, postage required and
date with a request for digital token to vault 20. At 410, PC 12
receives the digital token from vault 20. PC 12 then generates an
indicia as previously described. The error correcting code is printed on
the mailpieces in alphanumeric characters or barcode format.

Referring now to Fig. 5, at 420 an OCR reads the delivery address from
the mailpiece and the postal data from the indicia. At 422, using an OCR
or barcode reader, the error correcting code is read. An error
correction algorithm is performed, at 424, using the error correcting
code. If errors are not correctable at 426, then the recognition process
is notified of a failure at 428. If correctable, at 430 the appropriate
section of each address field, as at 402, is selected for
authentication. At 432, a secure hash of the selected address data is
generated using the same algorithm as at 406. The secure hash and the
postal data are sent to the verifier, at 434, which generates digital
tokens that are compared to the digital tokens printed on the mailpiece
to complete the verification.
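The generation steps 400-410 and verification steps 420-434 described above, as an added Python sketch that is not part of the patent text. It substitutes SHA-256 for the MD5 hash and HMAC-SHA-256 for the vault's keyed token transformation, and uses a two-check-symbol, single-error-correcting code over GF(257) as a simplified stand-in for Reed Solomon or BCH; all function names, the space padding, the key and the sample address are constructed assumptions.

```python
import hashlib
import hmac

P = 257           # prime modulus for the toy code; byte values 0..255 all fit
FIELD_CHARS = 15  # "first fifteen characters of each line" (steps 402/430)

def select_address_data(fields):
    # Fixed-width section of every field; space padding is an assumption
    # made here so that character positions are stable for the code below.
    data = "".join(f[:FIELD_CHARS].ljust(FIELD_CHARS) for f in fields)
    return data.encode("ascii")

def ecc_generate(data):
    # Step 404 stand-in: s0 = sum(c_i), s1 = sum(i * c_i), both mod P.
    assert len(data) < P, "positions must be distinct non-zero field elements"
    s0 = sum(data) % P
    s1 = sum(i * c for i, c in enumerate(data, 1)) % P
    return s0, s1

def ecc_correct(data, ecc):
    # Steps 424-426: repair at most one misread character, else return None.
    s0, s1 = ecc_generate(data)
    d0, d1 = (s0 - ecc[0]) % P, (s1 - ecc[1]) % P
    if d0 == 0 and d1 == 0:
        return bytes(data)                 # read without error
    if d0 == 0:
        return None                        # syndromes disagree: >1 error
    pos = d1 * pow(d0, P - 2, P) % P       # 1-based position of the error
    fixed = (data[pos - 1] - d0) % P if 1 <= pos <= len(data) else P
    if fixed > 255:
        return None                        # no single-character fix exists
    return data[:pos - 1] + bytes([fixed]) + data[pos:]

def issue_token(vault_key, address_hash, postage_cents, date):
    # Vault side (408-410): keyed transformation over hash + postal data.
    # The 16-hex-character token length is a constructed choice.
    msg = address_hash + f"|{postage_cents}|{date}".encode("ascii")
    return hmac.new(vault_key, msg, hashlib.sha256).hexdigest()[:16]

def generate_evidence(vault_key, fields, postage_cents, date):
    # Mailer side (400-410): what ends up printed on the mailpiece.
    data = select_address_data(fields)
    digest = hashlib.sha256(data).digest()
    return {"ecc": ecc_generate(data), "postage": postage_cents, "date": date,
            "token": issue_token(vault_key, digest, postage_cents, date)}

def verify_mailpiece(vault_key, ocr_fields, printed):
    # Verifier side (420-434): correct the OCR read, re-hash, recompute token.
    data = ecc_correct(select_address_data(ocr_fields), printed["ecc"])
    if data is None:
        return "unreadable"                # 428: recognition failure
    digest = hashlib.sha256(data).digest()
    expected = issue_token(vault_key, digest, printed["postage"], printed["date"])
    return "valid" if hmac.compare_digest(expected, printed["token"]) else "invalid"

# Constructed sample data (not from the patent).
KEY = b"constructed-demo-vault-key"
ADDRESS = ["Jane Q. Sample", "100 Example Street", "Springfield", "IL", "62701"]

if __name__ == "__main__":
    ev = generate_evidence(KEY, ADDRESS, 32, "2000-01-01")
    misread = ["Jane Q. Samp1e"] + ADDRESS[1:]       # one OCR error
    other = ["John R. Other"] + ADDRESS[1:]          # same building
    copied = dict(ev, ecc=ecc_generate(select_address_data(other)))
    print(verify_mailpiece(KEY, ADDRESS, ev))
    print(verify_mailpiece(KEY, misread, ev))
    print(verify_mailpiece(KEY, other, copied))
```

Because only the first fifteen characters of each field are hashed, text beyond that point in a field is covered by neither the error correction code nor the token. The error correction code is unkeyed and only improves the read rate; the rejection of a copied token comes entirely from the keyed token comparison.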

The present invention provides several benefits for the open system
digital token generation process, including the improvement of the rate
of correct reading of the delivery address during the verification
process.

It will be understood that the present invention is not limited to
addressee information or to an open postage metering system. The present
invention applies to any transaction evidencing system in which a block
of information is used to authenticate a document and the information is
later scanned from the document in the verification process.

Batch Processing 

The present invention is suitable for generating a batch of tokens for
addresses in a mailing list rather than entering such list of addressees
one at a time. The batch of tokens are part of a batch of transaction
records, that are indexed in the transaction file in the DLL storage
area 41, which are later used to generate indicia images when printing
envelopes for the mailing list. Such batch processing would be useful,
for example, to production mailers which often have databases of
addresses from which to generate mail. These databases are usually
pre-processed and sorted to take advantage of postal discounts and
recipient profiles for direct marketing opportunities.

In an alternate embodiment, a PC-based open metering system is part of a
network with the vault connected to a server PC and the user requesting
postage from a user PC. The token generation process would proceed as
previously described except that the vault functions, including token
generation, would occur in the server PC or the vault card connected
thereto. The server PC also stores a record of all transactions for
backup and disaster recovery purposes. The user PC would store the
transaction records, including issued tokens, on its hard drive and
would generate indicia corresponding thereto. This configuration would
allow multiple users to send a letter to the same addressee without the
token generation being inhibited.

While the present invention has been disclosed and described with
reference to a single embodiment thereof, it will be apparent, as noted
above, that variations and modifications may be made therein. It is,
thus, intended in the following claims to cover each variation and
modification that falls within the true spirit and scope of the present
invention.

In the foregoing, the following attorney docket references indicate the
US-applications shown in the following table. All these applications
have corresponding European Applications and are hereby incorporated
herein by reference:

E-415  Serial No. 08/575,106
E-416  Serial No. 08/575,107
E-417  Serial No. 08/574,746
E-418  Serial No. 08/574,745
E-419  Serial No. 08/575,110
E-420  Serial No. 08/574,743
E-421  Serial No. 08/575,112
E-444  Serial No. 08/575,109
E-452  Serial No. 08/575,104
E-463  Serial No. 08/574,749
E-466  Serial No. 08/575,111
E-462  Serial No. 08/588,499

Claims 

1. A method for verifying postage evidencing in an open metering system,
the method comprising the steps of:

generating at an open metering system an error correction code for
selected sections of a destination address;

generating a first secure hash of the selected sections of the
destination address;

generating at least one digital token using the first secure hash,
postage amount and date;

generating an indicia including the digital token and postal data
corresponding to the destination address;

printing the indicia, the destination address and the error correction
code on a mailpiece;

receiving the mailpiece for verification of postage evidencing;

reading the error correction code printed on the mailpiece and the
postal data from the indicia using an optical character reader;

performing an error correction algorithm on the error correction code to
determine if errors are correctable;

if correctable, generating a second secure hash of the selected sections
of the destination address;

verifying the postage evidencing on the mailpiece from the second secure
hash and the postal data read from the mailpiece.

2. A method for authenticating postage evidencing, the method comprising
the steps of:

providing addressee information separated into a plurality of address
fields;

selecting a predetermined section of each address field to obtain
selected address data, each section being appropriate for authentication
purposes;

generating an error correction code for the selected address data;

generating a first secure hash of the selected address data;

sending the first secure hash and postal data, including postage amount
and date, to a digital token generation process;

generating at least one digital token using the first secure hash for
evidencing postage;

generating an indicia including the digital token and the postal data;
and

printing the indicia, the addressee information, and the error
correction code on a mail piece.

3. The method of claim 1 comprising the further steps of:

reading the addressee information from the mailpiece and the postal data
from the indicia;

reading the error correcting code;

performing an error correction algorithm to determine if errors are
correctable;

if correctable, selecting a predetermined section of each address field
to obtain selected address data, each section being appropriate for
authentication purposes;

generating a second secure hash of the selected address data; and

verifying the postage evidencing using the second secure hash and the
postal data.

4. The method of claim 3 comprising the further step of:

informing a recognition process of a failure whenever errors are not
correctable.